PAKEs

Dependencies are outdated

Open piegamesde opened this issue 3 years ago • 6 comments

See https://deps.rs/repo/github/RustCrypto/PAKEs and https://github.com/magic-wormhole/magic-wormhole.rs/issues/114

piegamesde, Mar 23 '21 20:03

Unless there's an urgent need to update them, I'd suggest tackling this after the cipher v0.3 release

tarcieri, Mar 24 '21 15:03

You decide whether RUSTSEC-2020-0146 is "urgent" enough or not.

piegamesde, Mar 24 '21 16:03

You should be able to address that by upgrading to generic-array v0.12.4.

tarcieri, Mar 24 '21 16:03

All my dependencies on generic-array are up to date, except the one introduced by spake2.

piegamesde, Mar 24 '21 16:03

spake2 uses generic-array ^0.12.

generic-array v0.12.4 was released to address RUSTSEC-2020-0146.

If you have generic-array v0.12.4 in your Cargo.lock, then you should get a clean bill of health from cargo audit.

tarcieri, Mar 24 '21 16:03
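
The lockfile check described in the comment above, as an added example that is not part of the thread or of the PAKEs code base: it reads a Cargo.lock excerpt, applies Cargo's caret rule for `^0.12`, and reports any locked generic-array 0.12.x entry below 0.12.4. The lockfile excerpt is constructed, the function names are hypothetical, and only the 0.12 release line discussed here is covered.

```rust
/// Parse "major.minor.patch"; pre-release tags are out of scope here.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let mut it = s.split('.').map(|p| p.parse::<u64>().ok());
    let v = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(v) }
}

/// Cargo's caret rule for `^0.12`: 0.12.x with any patch level.
fn satisfies_caret_0_12(v: (u64, u64, u64)) -> bool { v.0 == 0 && v.1 == 12 }

/// Versions of `name` recorded in the [[package]] tables of a Cargo.lock.
fn locked_versions(lock: &str, name: &str) -> Vec<(u64, u64, u64)> {
    let (mut out, mut in_target) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if let Some(n) = line.strip_prefix("name = ") {
            in_target = n.trim_matches('"') == name;
        } else if let Some(v) = line.strip_prefix("version = ") {
            // The top-level `version = 3` line is skipped: no package matched yet.
            if in_target { out.extend(parse_version(v.trim_matches('"'))); }
            in_target = false;
        }
    }
    out
}

/// Locked 0.12.x entries below 0.12.4, the release the thread names as the fix.
fn unpatched_0_12(lock: &str) -> Vec<(u64, u64, u64)> {
    locked_versions(lock, "generic-array").into_iter()
        .filter(|&v| satisfies_caret_0_12(v) && v < (0, 12, 4))
        .collect()
}

// Constructed lockfile excerpt: two generic-array lines resolved side by side.
const STALE_LOCK: &str = r#"
version = 3
[[package]]
name = "generic-array"
version = "0.12.3"
[[package]]
name = "generic-array"
version = "0.14.4"
"#;

fn main() {
    let fixed = STALE_LOCK.replace("0.12.3", "0.12.4");
    println!("before: {:?}, after: {:?}", unpatched_0_12(STALE_LOCK), unpatched_0_12(&fixed));
}
```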

Oh I'm sorry, I didn't know version 0.12.4 also contained the patch. Never mind then, it's not urgent.

piegamesde, Mar 24 '21 17:03